Certification Advice

[Questionable]

Hi EH,

Just a quick question about any certifications it would be worth while taking. I'm currently a student studying Computer Security & Ethical Hacking in the UK, I'm on placement as a Software Developer so I am learning Programming principles. I will hopefully graduate with a 1st degree, my question is, is it worth taking a few certificates along with my degree? I know there are certs like CISSP, CREST <-- supposed to be incredibly hard and CEH but which is the best bang for your buck?

I'd quite like to go towards the web app security side || maybe PCI DSS? I still have quite a while to think about this, but any advice would be great.

Edit: If you know any certs which are worth while taking for web app's or that are quite well rounded, that would be appreciated

Thanks,

Questionable

[3xban]

Hello Questionable, welcome to EH.Net.  To give you a quick answer, check around on the forums.  This question has been answered a number of times. 

Since you are still in school, it would be more beneficial for you to get some entry level experience.  You will need to have proven experience in a number of the domains in CISSP in order to qualify for the cert.  It is designed more for managers within the Information Security realm and is not always required for InfoSec jobs.  At most it might be an HR hurdle which can be overcome by other skills/certs.  A good reference you can use for technical certs would be the SANs Roadmap: https://www.sans.org//security-training/roadmap.pdf

I don't expect you to go and drop the cash for a SANS course, but it might provide you with some information as to where you want to start looking.

[H1t M0nk3y]

Hi Questionable and welcome to the forum!

If you know any certs which are worth while taking for web app's or that are quite well rounded, that would be appreciated

For this one, I suggest you first take a more broad and entry-level certification before aiming at web applications. And don't get me wrong, "entry-level certification" doesn't mean easy, but they tend to cover lots of different areas used in other more specialized certs/fiels.

For example, web app certifications will focus more on SQL injection, XXS and the likes than on TCP/IP network protocole and post-exploitation skills. I believe that knowing these things before going to web app cert world would only help you in the long run.

Also, what is your long term goal in information security? I am asking because forensic investigation is quite different than being a manager who writes policies... Let us know and we will guide you!

And like 3xban said, experience and contacts are very important too...

Good luck!

[ajohnson]

You should probably start with something like eLearn's eCPPT. It's affordable and covers a good deal of material, including web app testing. It's not going to be as impressive as a SANS cert, CISSP, etc on your CV, but you can always tack those on over time.

[Questionable]

Thanks for the replies guys! eCPPT looks great, I'm currently reading The Web Application Hackers Handbook, it's pretty insightful and rounding my knowledge, I have been networking a lot where I live at OWASP chapter meetings and other conferences, so I hopefully will have my foot in the door before I finish University, after University, my first job would be towards the pen testing field.

The only issue I'm looking at, it doesn't offer a lot of information on individual purchases, more of a company based thing, does anyone know the price for the eCPPT and if they do any sort of student discount? probably not, but it's always worth a shot.

Any sort of reading material you could suggest for the eCPPT would be great, but I know it comes with a bucket load of videos and tutorials when you purchase it.

I'm still narrowing down my choices but web applications seems to be the thing which interests me the most, but even if I drift off into another part of the sector, I don't think it'll be a waste of time.

Thanks again,

Questionable.

[hayabusa]

Armando (eLearnSecurity) regularly posts discounts on here, as well as running promo's, so if you want to know if anything's currently running, give him a shout.  He's a member here, too.  (PM him)  His username is 'Armando'

Good luck!

[Questionable]

I sent Armando a pm, waiting on a reply

[Grendel]

My suggestion when asked a similar question is to see what requirements are out there for jobs that you would like to do. For example, there is a job on Dice.com for web hacking ( http://bit.ly/ZH952s (perishable link)), that provides a list of things the employer wants to see it their employees. they even have a questionnaire on their web site for the app pentest job.

In this case, it looks like they want someone well versed in web languages, not someone with any certs (which I find typical with the programming track into professional pentesting)... and perhaps someone known in the community of hacking.

Now, if you were working your way through networking or system administration as a path to pentesting, certs can play a bigger role in your profession.

[H1t M0nk3y]

I find that certs are the only way to force me to learn usefull but boring things. Without a goal/carrot in front of my, I either get lazy or study only what I like.

There have been many discussions on certs vs experience on this site and I think most people agree that experience is more important, while *some* certs open doors (get you through HR screening) and *other* certs/training programs make you a better pentester.

For example, CISSP vs OSCP are pretty much opposite to each others...

[Seen]

I find that certs are the only way to force me to learn usefull but boring things. Without a goal/carrot in front of my, I either get lazy or study only what I like.

There have been many discussions on certs vs experience on this site and I think most people agree that experience is more important, while *some* certs open doors (get you through HR screening) and *other* certs/training programs make you a better pentester.

For example, CISSP vs OSCP are pretty much opposite to each others...

I completely agree.  I get callbacks on about 80% of the jobs I submit my resume for, but I have trouble passing some of the technical interview questions, so I'm more focused on things like eCPPT and OSCP which will give me knowledge.  On the other hand, someone who knows more than I do but doesn't get past HR screenings would probably do better to get a CEH or CISSP.